Fixes: U4-6333 - but should fix this better (i.e. centralize the code to clean for xss in JS like we have in c#)

src/Umbraco.Web.UI.Client/src/views/common/legacy.controller.js

@@ -8,7 +8,13 @@
  * 
 */
 function LegacyController($scope, $routeParams, $element) {
-	$scope.legacyPath = decodeURIComponent($routeParams.url);
+
+    var url = $routeParams.url;
+    var toClean = "*?(){}[];:%<>/\\|&'\"";
+    for (var i = 0; i < toClean.length; i++) {
+        url = url.replace(toClean[i], "");
+    }
+    $scope.legacyPath = decodeURIComponent(url);
 }
 
 angular.module("umbraco").controller('Umbraco.LegacyController', LegacyController);